Data Processor Addendum

Last Updated: June, 2022.

Background:


(1)  AskSenti Ltd is a company registered in England and Wales under company number 09499330 whose registered office is at 320d High Road, Benfleet, Essex, England, SS7 5HB (the “Service Provider”).

(2) The Customer (the “Customer”) and AskSenti Ltd entered into a pricing plan incorporating the terms and conditions.

(3) Addendum to an agreement between the Customer and the Service Provider for the provision of services related to access and use of the Service Provider’s software as a service (the "Services Agreement").

(4) This DPA is between AskSenti Ltd and the Customer (each a "Party" and collectively the "Parties"), pursuant to the Services Agreement.

Agreement:

The parties agree that the terms and conditions set out below shall be added as an addendum to the Services Agreement. Except where the context requires otherwise, references in this Addendum to the Services Agreement are to the Services Agreement as amended by, and including, this Addendum.

1. Status of this Agreement

1.1  In consideration of the Customer agreeing to provide or procure the provision of personal data to the Service Provider, the parties have agreed that this Addendum forms part of and supplements the Services Agreement. Except as modified by this Addendum, the terms of the Services Agreement shall remain in full force and effect.

1.2  Nothing in this Addendum permits the Service Provider to process (or permit the processing of) personal data in a manner which is prohibited by the Services Agreement.

1.3  Subject to clause 1.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Services Agreement, the provisions of this Addendum shall prevail.

2. Compliance with Data Protection Legislation

The Service Provider shall comply with all Data Protection Legislation in processing personal data in connection with the Services Agreement.

3. Appointment

The parties acknowledge that, where the Service Provider processes personal data in the course of providing services under the Services Agreement (the "Processed Personal Data"), the Service Provider will carry out that processing as a processor on behalf of the Customer (in each case, the "Controller") as controller. The Customer, in its own right and on behalf of each other Controller, appoints the Service Provider to process personal data on behalf of the Controller on the terms of this Addendum and the Services Agreement.

4. Instructions to Service Provider to process personal data

4.1 The Service Provider shall:

4.1.1 process the Processed Personal Data only on documented instructions from the Controller unless required to do so by European Union or Member State law to which the Service Provider is subject; in such a case, the Service Provider shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

4.1.2  not transfer the Processed Personal Data to a country outside the EEA or to an international organisation; and

4.1.3  immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the Data Protection Legislation.

4.2  The Customer (in its own right and on behalf of each other Controller) hereby:

4.2.1  instructs the Service Provider to take such steps in the processing (other than international transfer as referred to in clause 4.1.2) of the Processed Personal Data as the Service Provider reasonably considers necessary to the performance of its obligations under the Services Agreement; and


4.2.2  subject to clauses 5.4 and 5.5, authorises the Service Provider to give equivalent instructions to each sub-processor to enable the Service Provider to carry out its obligations under this Addendum.


4.3  The description of the processing of the Processed Personal Data set out in Annex 1 to this Addendum forms part of this Addendum (but for information only and without imposing any obligation or conferring any right on either party). The Customer may by notice to the Service Provider from time to time make such changes to Annex 1 as are reasonably necessary to meet the requirements of Article 28(3) of the GDPR or any other Data Protection Legislation regarding information to be recorded in an agreement between a controller and a processor.

5. Processing obligations

Confidentiality

5.1  The Service Provider shall keep all Processed Personal Data confidential and ensure that persons authorised by it under the terms of the Services Agreement to process the Processed Personal Data have undertaken to keep the Processed Personal Data confidential or are under an appropriate statutory obligation of confidentiality.


Security


5.2  The Service Provider shall implement appropriate technical and organisational measures to protect the Processed Personal Data.

5.3  In assessing the appropriate level of security, the Service Provider shall take account of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.


Service Provider’s engagement of sub-processors

5.4  The Service Provider may only authorise or otherwise allow a sub-processor to process the Processed Personal Data subject to the Customer's prior written consent. However, where a sub-processor supplies information technology services to the Service Provider that are indispensable to the processing of Processed Personal Data under the Services Agreement, the Service Provider may engage such sub-processor without prior written consent (subject to clause 4.1.2), provided that the Service Provider shall inform the Customer before it appoints such sub-processor, and provides all such information as the Customer reasonably requests. Before proceeding with the appointment, the Service Provider shall give the Customer the opportunity to object, and take reasonable account of any comments or objections that the Customer may raise.


5.5  The appointment of sub-processors under clause 5.4 above is subject to: (a) the Service Provider procuring that the sub-processor complies with the terms of this Addendum as if it were the Service Provider; (b) the Service Provider has a written contract in place with the sub-processor on terms which are at least equivalent to those set out in this Addendum and in respect of which the Customer is given the benefit of third party rights to enforce the same; (c) the sub-processor’s access to the Processed Personal Data terminates automatically on termination of the Services Agreement, and (d) the Service Provider remaining fully liable to the Customer for the performance of all sub-processors’ obligations.

Data subject rights and personal data breaches


5.6  The Service Provider shall assist the Controller by adopting appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject's rights laid down in Data Protection Legislation.

5.7  The Service Provider shall assist the Controller, at the Controller’s request, in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR or in other Data Protection Legislation regarding security of processing, notification of personal data breaches, data protection impact assessments and prior consultation with the data protection supervisory authority, taking into account the nature of processing and the information available to the Service Provider.

5.8  Without undue delay, but in any case not longer than 24hrs from becoming aware of the breach, the Service Provider shall notify the Customer or a sub-processor becoming aware of any personal data breach in relation to the Processed Personal Data and provide all reasonable assistance required by the Customer in respect of such personal data breach, including providing details of the incident, the personal data compromised and how the incident is being investigated and remedial steps.

5.9  The Service Provider shall not make any notification of the personal data breach to the affected data subject(s) or to any supervisory authority or other regulatory authority except as directed by the Controller. The Service Provider shall rectify all issues arising from such incident at its own expense, do all such things as necessary to assist the Customer in mitigating the effects of the breach, and implement any measures necessary to restore the security of any compromised personal data.


Duration of processing and return/destruction of personal data


5.10  At the end of the provision of services relating to the processing of Processed Personal Data, at the choice of the Customer, the Service Provider shall delete or return to the Customer all such Processed Personal Data as is in its possession or under its control, and (in the case of return) delete all other existing copies unless (and then only for so long as) European Union or Member State law requires continued storage of the Processed Personal Data. If the Customer does not notify the Service Provider of its choice, the Service Provider shall return all Processed Personal Data. The Service Provider shall bear the cost of deleting or returning the Processed Personal Data to the Customer.


Compliance

5.11  The Service Provider shall make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this Addendum and the obligations set out in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or its authorised representative.

6. Interpretation and governing law


6.1  In this Addendum:

"GDPR" means EU General Data Protection Regulation 2016/679, including any supplementing or underlying laws or regulations, in each case as modified, re-enacted or replaced from time to time; and

“Data Protection Legislation” means all applicable laws and regulations relating to the processing of personal data and privacy, including (without limitation) the Data Protection Act 2018 and the GDPR for so long as it is directly applicable in the UK, and any national implementing laws, regulations and secondary legislation and where applicable the guidance and codes of practice issued by the UK Information Commissioner (and where the terms “personal data”, “process”, “processing”, “processed”, “processes”, “data controller”, “data processor” and “data subject” are used in this Agreement they shall be construed in accordance with the Data Protection Legislation).

6.2  Terms defined for the purposes of the GDPR have the same meanings in this Addendum (and similar terms are to be interpreted accordingly).

6.3  All provisions in the Services Agreement relating to the processing of personal data under the Services Agreement are deleted and replaced by the provisions in this Addendum.

6.4  The Service Provider shall indemnify, defend and hold harmless the Customer from and against all and any losses, claims, liabilities, costs, charges, expenses, awards and damages of any kind including any fines and legal and other professional fees and expenses (irrespective of whether they were reasonably foreseeable or avoidable) which it/they may suffer or incur as a result of, or arising out of or in connection with, any breach by the Service Provider of any of its obligations in this Addendum. Nothing in the Services Agreement shall exclude or otherwise limit the Service Provider’s liability under this indemnity.

6.5  Each Customer shall be entitled to rely on, and enforce, the terms of this Addendum that confer a benefit on it, but otherwise, a person who is not a party to this Agreement shall not have any rights to enforce any term of this Agreement.

6.6  Notwithstanding anything to the contrary in the Services Agreement, this Addendum contains the entire agreement between the Customer and the Service Provider for all purposes in relation to the Service Provider's obligations and liability in relation to the Processed Personal Data under the Services Agreement. The terms of this Addendum shall prevail over the Services Agreement.

6.7  This Addendum may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts shall together constitute one agreement. No counterpart shall be effective until each party has executed at least one counterpart.

6.8  This Addendum shall be governed and interpreted under English law and the English courts shall have exclusive jurisdiction over all disputes (both contractual and non-contractual) between the Customer and the Service Provider in relation to all matters arising out of or in connection with this Addendum.

Annex 1

Data Processing Details

Data Exporter: Customer

Data Importer: AskSenti Ltd

Subject matter

The Service Provider will provide the services as described in the Services Agreement.

Duration

The term of the Services Agreement.

Nature and purpose of processing

The Processed Personal Data will be subject to one or more of the following processing activities: (1) holding/storing, (2) referencing, (3) disposing/destroying, (4) analysing, (5) altering/updating, (6) using/applying, (7) transferring to third parties, and such other processing activities as may be instructed by the Customer from time to time. The purpose of the processing will be to provide the services described in the Services Agreement.

Data subjects

The personal data transferred concerns the following categories of individuals:

Company's staff - including past, current and prospective Directors, employees, contractors, volunteers, agents, temporary and casual workers of Group Companies and JVs (including past, current and prospective members of staff)

Customers and clients (including past, current and prospective customers/clients)

Categories of data

The personal data transferred concerns the following categories of data:

☒ Names

☒ Personal addresses

☒ Personal contact details

☒ Licence plate numbers

☒ Work contact details

☒ Job details

☒ Employee identification numbers

☒ Payroll numbers

☒ Remuneration details

☒ Place of birth

☒ Date of birth

☒ Gender

☒ Marital status

☒ Personal relationship

☒ Assignment details

☒ Performance review/rating

☒ Tax withholding rates

☒ Bank details

☒ Signatures

☒ Accident and near miss records

☒ Pension details

☒ Preferences and past actions on the Controller’s websites

☒ Location data

☒ IP addresses

☒ Photos and digital images

☒ National or foreign identification numbers

☒ Passport and/or visa details

☒ Nationalities

Special categories of data

The personal data transferred concerns the following special categories of data:

☒ Racial/ethnic origin

☒ Political opinion

☒ Religious/Philosophical beliefs

☒ Criminal convictions/offences

☒ Data concerning sex life or sexual orientation